A look at all things to do with NetScanTools® Products. Inside you will find tips and comments about using our programs and even off topic comments.

Monday, March 9, 2015

WinPcap Installation, Status and other Tips

WinPcap is an essential packet capturing driver for many programs, especially Wireshark and also our own NetScanTools Pro. I have been working with a few of our customers who have had problems getting it installed and properly running on Windows 8.1. What I've done here is gather together a few important tips that you can use to make sure it is running.

This post is current as of WinPcap 4.1.3 and is written from the perspective of Windows 7, 8.1 and 10.

1. How do you tell if WinPcap is installed?

Quick check: WinPcap will show up in Control Panel/Programs and Features. This is not a guarantee that it is properly installed or running.

Detailed check: WinPcap has three main components. Here is where to find them on a 64-bit Windows operating system:

From an administrator Command Prompt, enter this and look at the STATE to make sure it is running:

C:\WINDOWS\system32>sc start npf

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

4. How do you stop WinPcap?

From an administrator Command Prompt, enter this and look at the STATE to make sure it is stopped. If it does not stop, you need to exit any programs using it.

C:\WINDOWS\system32>sc stop npf

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

5. Some people have trouble starting Wireshark: it starts to load OK but stops at Configuration 100%. What can be done?

Remember the START_TYPE entry from number 2 above? It needs to change. From an administrator Command Prompt, enter this command then reboot your system, then try Wireshark again. The space after start= is required.

C:\WINDOWS\system32>sc config npf start= delayed-auto

[SC] ChangeServiceConfig SUCCESS
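A read-only way to script the checks above (is the npf driver registered, what is its STATE, what is its START_TYPE), as an added PowerShell example that is not part of the original post. Get-NpfStatus and Read-ScField are hypothetical helper names, and the example assumes START_TYPE is read with sc qc.

```powershell
# Added example (not from the original post): read-only check of the WinPcap
# "npf" driver service, using the same sc.exe fields the post looks at.
# Read-ScField and Get-NpfStatus are hypothetical helper names.

function Read-ScField {
    param([string[]]$Lines, [string]$Field)
    # sc.exe prints lines such as "  STATE  : 4  RUNNING"; capture code and text.
    $pattern = '^\s*{0}\s*:\s*(\d+)\s+(.+?)\s*$' -f [regex]::Escape($Field)
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            return [pscustomobject]@{ Code = [int]$Matches[1]; Text = $Matches[2] }
        }
    }
    return $null
}

function Get-NpfStatus {
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    $query = & sc.exe query npf
    if ($LASTEXITCODE -eq 1060) {
        # 1060 = ERROR_SERVICE_DOES_NOT_EXIST: the driver service is not registered.
        return [pscustomobject]@{ Installed = $false; State = $null; StartType = $null }
    }
    $config = & sc.exe qc npf
    $state  = Read-ScField -Lines $query  -Field 'STATE'
    $start  = Read-ScField -Lines $config -Field 'START_TYPE'
    [pscustomobject]@{
        Installed = $true
        State     = if ($state) { $state.Text } else { 'UNKNOWN' }
        StartType = if ($start) { $start.Text } else { 'UNKNOWN' }
    }
}

$status = Get-NpfStatus
if (-not $status.Installed) {
    Write-Warning 'npf service not found: the WinPcap driver is not registered, even if WinPcap is listed in Programs and Features.'
} elseif ($status.State -ne 'RUNNING') {
    Write-Warning "npf is $($status.State) (start type: $($status.StartType)); programs that depend on WinPcap cannot capture until it is started."
} else {
    Write-Output "npf is RUNNING (start type: $($status.StartType))."
}
```

The script only queries the service and changes nothing, so it can be run before and after the sc config change to confirm the new start type took effect.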

6. How can I tell which program is currently using WinPcap?

That can be a little difficult, but if a program is actively using WinPcap there is a way to find out by using Sysinternals Process Explorer.

Enter wpcap or packet and press Search. If NetScanTools Pro is running, it shows nstpro.exe, PID, DLL and C:\Windows\SysWOW64\wpcap.dll - in other words, if a program is actively using WinPcap, it will show up there.

I hope these WinPcap tips help you. Please let me know if you have any others to share.